Friday, 13 September 2013

A couple of years ago, I thought LinkedIn was a “Facebook for professionals!” type
organisation, with colleagues discreetly keeping in touch whenever there was a
pressing need. And it was a useful tool to understand what was happening within
the employment market.

Today, it seems
to be a different beast. I find it hard keeping up with stuff, mostly from people
so keen to start a discussion that all they do is republish a link to an old article.
Do they provide any of their own views on the issue in hand? Mostly not. So why
do they bother?

Possibly
because they’re keen to ensure that others notice the news, or perhaps because they’re
keen to get noticed as an “influencer” themselves.

And this is
a shame, as it devalues the occasions when someone actually has got something
interesting to say.

Also, I’m a little concerned that a chum
of mine from France keeps asking me to stop inviting him to link with me. Much
as I respect him (and he is an extremely respectable professional), actually I don’t
remember inviting him, and I’m not sure which of the many settings on LinkedIn
I need to change to stop pestering him in future. His latest billet doux is
still couched in friendly terms, but I dread to think what will happen if I'm still sending him invites this time next
year:

“I’m getting regular
invitations to join your LinkedIn network -- do you think you could try to stop
these please? As I mentioned a while ago, it's nothing personal -- I just never
join this sort of network or acknowledge the invitations in any way (as doing
so encourages unsolicited emails from the network).”

If anyone knows how I
can stop my foul behaviour, please do get in touch.

Wednesday, 11 September 2013

There are just 218 days to go until 17 April 2014, which is
when European Parliamentarians hold their final sitting. Then, they pack up their
bags and they go home. Some will do a spot of campaigning while they wait for the
results of the European elections, which will be held between 22 and 25 May.

Parliamentary business that has not been
concluded will disappear. Work on new legislative proposals will resume shortly
before Parliamentarians embark on their 2014 summer break.

Compare this time period with what has happened in the 595 days that
have passed since Commissioner Reding announced “Ladies and Gentlemen, we have
done it”. What had she done? Well, on 25 January 2012 she had unveiled the
draft Regulation, containing that infamous set of proposals for a comprehensive
reform of Europe’s data protection law. Now, how many hours of debate have we
actually seen in the Chamber of the European Parliament on this issue in the
past 595 days? Or in the European Parliamentary committee rooms?

I do pay tribute to the long, long hours spent by so many public
officials in private sessions trying to thrash out a text that meets the needs
of citizens. I’m not suggesting for one moment that they have not worked
sufficiently hard or with sufficient determination. I understand that, during
one particularly fraught set of negotiations, one delegation arrived in the
meeting room complete with a camp bed to demonstrate their dedication to the
cause. (Or it might have been to protest
at the long hours that they were putting in - I was laughing so loud at the
first part of the tale that I didn’t hear the end.)

So much had been done – but there is so much more that needs to be done,
too.

So I ask you – is there really sufficient time in the next 218 days for the
European Parliament to comprehensively review the proposals, agree on
amendments, discuss their suggestions with the version currently under
consideration by the Governments of Member States, and pass legislation that
will bind a generation of European citizens to a new data protection law?

Given what we know of where the negotiations are?

I don’t think so.

But perhaps, like Baldrick, the Commission has a cunning plan.

Perhaps the plan (like one of Baldrick’s) is to invent a time machine
that will take us back to 26 January 2012 so that the European Parliament will
have another 813 days to work out what to do.

Or perhaps the Commission will rush proposals through the European Parliament
to change the current Gregorian calendar to introduce a new way of measuring
time, one where legislative proposals can be considered in a time warp of their
own.

Or, as a diversionary tactic, perhaps it’s time to admit that this
version of the Regulation isn’t going anywhere, but there is a little device
called a Directive that might stand a chance of making its way into law –
because, with Directives, Member States can ignore the bits they don’t
like exercise their own margin of appreciation over the way the rules will be implemented
and enforced in their own country.

When will we be told that this draft is a goner?

I’m reminded of the wonderful verse in “Paradise by the dashboard light”

Before we go any further. Do you love me? Will you love me forever?
Whats it gonna be boy? Come on... I can wait all night...
Whats it gonna be boy... yes or no?

The first European Commissioner to publicly announce that this measure
isn’t going to be getting anywhere will certainly be getting my vote come the
next elections.

So how will we feel when news of the demise of the Regulation, to be
replaced by a Directive (at some stage in the future) finally comes through?

As Meatloaf might have put it:

We couldn't take it any longer, Lord we were crazed

And when the news came upon us like a tidal wave

We started swearing to our God and on our mothers’ grave

We’d love the EU to the end of time

We swore we’d love the EU to the end of time

Source:

I gratefully acknowledge the inspiration from James Dixon Barnes, who wrote
a similar ditty for Meatloaf.

Tuesday, 10 September 2013

Life as an
international data protection consultant can have its drawbacks. 3.30am starts,
queues at the airports, and working out how to pay the charge as the hire car
drives through yet another automatic toll barrier.

But it also
has its benefits. Hotel meals, meeting people for the first time, and (yes
even) explaining to new colleagues that, at least in the UK, the ICO has given
some thought to the issue at hand and has published some helpful guidance on
its website which can lovingly be copied and used, as it (mostly) is in line
with that country’s data protection rules, too.

As I go
about my business, I sense that what people are still generally after is practical
guidance on how to comply with the basic data protection rules.

My international work has recently focussed on how to craft Privacy Impact
Assessments. To that end, I’m immensely
grateful for some new stuff that’s on the ICO’s website. A draft Code of
Practice is currently under consultation, and I’m pretty impressed with what I
read.

The previous guidance was, putting it politely, not an easy read. Much was written by academics who, while no
doubt absolutely brilliant in their own worlds, found it hard to craft a text which
connected to people who lacked lofty educational achievements.

The new guidance
is much easier to read. Perhaps the Plain English Campaign has already reviewed
it. I’m a
great supporter of the Plain English Campaign. I met the campaign’s founder, Chrissie Maher
in the early 1990s, when working for the Association of British Insurers. I was
involved in a project which offered guidance to insurance companies on what was required
of them following the implementation of the Unfair Contract Terms Regulations
1989. (Linked with that project, I also remember speaking at a number of events where an official from the Office of Fair Trading was speaking,
explaining to the audience what the OFT’s views were. That official was Richard Thomas. But that’s
another story.)

Anyway, back
to the plot.

The new draft
Code from the ICO also commends a much easier way to complete a PIA – which can
only be good news to those of us who do them. Perhaps more thought has been given to the type
of people who are currently Data Protection Officers. Not all are qualified
solicitors, or even graduates. Many are people whose education was completed
at an earlier stage, and so it is all
the more important that the ICO commends a process that can be understood – and
followed – by someone who lacks professional data protection qualifications.

I’ve been
trying it out in foreign parts. I’ve tweaked it slightly, but for me, it works.
I’ll be explaining to the ICO how I’ve tweaked it when I respond to their
consultation – the deadline for comments is 5 November - but meanwhile I do encourage
people to try it out and to see if it works for them.

The
Trilateral research and consulting group
recently published some authoritative work on PIAs, including a 523 page book
that can be bought (soft cover version £35.99) and a 267 page research report that is available from the ICO’s website and can
be downloaded for free. The really key finding is the lack of PIAs that have
been carried out.

Hopefully,
the ICO’s simpler methodology to crafting one will be more eagerly adopted by
us data protection professionals, and more PIAs will find themselves in the
public domain.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.